Netgate Discussion Forum
    Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?

    • ProperCactus Rebel Alliance @bmeeks

      @bmeeks I found my home_net; it is set as default, and when I click on view list it has:

      9.9.9.9/32
      10.1.0.0/17
      10.128.0.0/20
      10.255.255.254/32
      127.0.0.1/32
      149.112.112.112/32
      192.168.1.1/32
      192.168.1.4/32
      192.168.2.0/24
      192.168.3.0/24
      192.168.4.0/24
      192.168.69.0/24
      ::1/128
      fe80::2e0:67ff:fe26:3f6a/128
      fe80::2e0:67ff:fe26:3f6b/128
      fe80::2e0:67ff:fe26:3f68/128
      fe80::2e0:67ff:fe26:3f69/128
      fe80::5a9c:fcff:fe10:ff9a/128

      external_net is just that list with a '!' in front of each value

      @bmeeks would I be right in thinking that if the DNS server is on 192.168.2.1 and it's declared as home_net, the rule probably won't fire as it is home_net to home_net not home_net to external_net?

      So if client 192.168.2.20 sends a DNS query to 192.168.2.1 it's going to be home_net to home_net and thus not trigger the alert, right?

      Actually I checked and the rule is to any so it should fire:

      alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns.query; content:".to"; endswith; fast_pattern; classtype:bad-unknown; sid:2027757; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
      
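An added example (not code from the post or from the pfSense package) that evaluates the header of the rule quoted above against the posted HOME_NET list, and also a hypothetical `$HOME_NET -> $EXTERNAL_NET` variant for comparison; it models EXTERNAL_NET as the negated HOME_NET list, as the post describes, and the `.to` suffix check stands in for the rule's `dns.query; content:".to"; endswith` payload test.

```python
import ipaddress

# HOME_NET as listed in the post above (pfSense's auto-populated default on this box).
HOME_NET = [
    "9.9.9.9/32", "10.1.0.0/17", "10.128.0.0/20", "10.255.255.254/32",
    "127.0.0.1/32", "149.112.112.112/32", "192.168.1.1/32", "192.168.1.4/32",
    "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24", "192.168.69.0/24",
    "::1/128", "fe80::2e0:67ff:fe26:3f6a/128", "fe80::5a9c:fcff:fe10:ff9a/128",
]
# EXTERNAL_NET is the same list with '!' in front of every entry, as the post says.
EXTERNAL_NET = ["!" + net for net in HOME_NET]
VARS = {"$HOME_NET": HOME_NET, "$EXTERNAL_NET": EXTERNAL_NET}

# Header of the quoted rule (sid 2027757) and a hypothetical variant that would only
# watch queries leaving HOME_NET; the variant is an assumption for comparison only.
ET_DNS_TO_TLD_HEADER = "dns $HOME_NET any -> any any"
EXTERNAL_ONLY_HEADER = "dns $HOME_NET any -> $EXTERNAL_NET any"


def addr_in_list(ip, entries):
    """Suricata-style address list: negated entries are ANDed, positive entries ORed.
    A list consisting only of negations matches anything the negations do not exclude."""
    addr = ipaddress.ip_address(ip)
    negated = [e[1:] for e in entries if e.startswith("!")]
    positive = [e for e in entries if not e.startswith("!")]
    # An IPv4 address 'in' an IPv6 network is simply False, so mixed lists are safe.
    if any(addr in ipaddress.ip_network(n) for n in negated):
        return False
    if not positive:
        return True
    return any(addr in ipaddress.ip_network(n) for n in positive)


def addr_matches(ip, spec):
    """Resolve 'any', a $VARIABLE, or a literal CIDR/[a,b] list, then test the address."""
    if spec == "any":
        return True
    if spec in VARS:
        return addr_in_list(ip, VARS[spec])
    return addr_in_list(ip, spec.strip("[]").split(","))


def port_matches(spec, port):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)


def header_matches(header, src_ip, src_port, dst_ip, dst_port):
    """Evaluate only the 'proto src sport -> dst dport' part of a rule against one flow."""
    proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only one-directional headers are handled here")
    return (addr_matches(src_ip, src) and port_matches(sport, src_port)
            and addr_matches(dst_ip, dst) and port_matches(dport, dst_port))


def et_dns_to_tld_fires(src_ip, src_port, dst_ip, dst_port, qname):
    """Header match plus the rule's payload test (query name ends with '.to').
    Suricata can only evaluate dns.query on cleartext DNS, never on DoT traffic."""
    return (header_matches(ET_DNS_TO_TLD_HEADER, src_ip, src_port, dst_ip, dst_port)
            and qname.endswith(".to"))
```

Because 9.9.9.9 sits inside HOME_NET on this box, even the upstream resolver would count as home_net to home_net under the hypothetical external-only header, while the real rule's `-> any any` header matches either way.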
      • bmeeks @ProperCactus

        @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

        @bmeeks I just noticed all the snort rules are unticked anyway.

        I use DoT on the upstream from unbound on pfSense to upstream DNS; however, on the local network all devices are using normal DNS (tcp/udp 53), and I used to get alerts when I would visit a .to website but not anymore. I even force DNS resolution using nslookup to the DNS server on the interface being monitored by Suricata; it definitely should fire an alert.

        Where can I find $HOME_NET to edit it?

        HOME_NET is automatically populated with default values that should be correct in almost every instance. You can see the actual content by visiting the INTERFACES tab, choosing the Edit icon beside the interface in question, then scrolling down to the HOME_NET drop-down selector. Click the View button just to the right of the drop-down to see the variable's content.

        To customize HOME_NET you would need to create a custom Pass List and then assign that list by choosing it in the drop-down selector for HOME_NET. But rarely, if ever, is there a need to change from the defaults.

        First, make sure Suricata is actually running on the interface by using this command from a shell prompt on the firewall console to see the process:

        ps -ax | grep suricata
        

        You should see one or more running Suricata processes. Make sure there are no duplicates (meaning two Suricata instances running on the exact same interface).

        Look carefully at the entire suricata.log file for the interface on the LOGS VIEW tab. Make sure there are no other errors in that log besides the Snort rule syntax errors.

        Edit: your posted values for HOME_NET look fine assuming those IP subnets are correct for your firewall.

        You can also visit the RULES tab when editing a Suricata interface and choose the "Active Rules" category in the Category drop-down selector. That will load and display only the actual active rules that Suricata is enforcing. Be sure your DNS rules are listed in there.

        • ProperCactus Rebel Alliance @bmeeks

          @bmeeks

          Yea, the subnets in home_net are what I am using; interesting that it puts my upstream DNS in home_net though.

          ps -ax | grep suricata shows me 1 suricata process on each interface I expect it on (2 interfaces total)

          4035  -  Ss     5:00.80 /usr/local/bin/suricata -i igb2 -D -c /usr/local/etc/suricata/suricata_137_igb2/suricata.yaml --pidfil
          99424  -  Ss     5:00.32 /usr/local/bin/suricata -i igb1 -D -c /usr/local/etc/suricata/suricata_49846_igb1/suricata.yaml --pidf
           7752  0  S+     0:00.00 grep suricata
          

          Definitely the rule is enabled when I select Active rules

          Screen Shot 2022-03-15 at 3.12.10 am.png

          • ProperCactus Rebel Alliance @ProperCactus

            @bmeeks and this is the end of my suricata.log after all the filter errors:

            15/3/2022 -- 02:23:31 - <Info> -- 2 rule files processed. 44300 rules successfully loaded, 43 rules failed
            15/3/2022 -- 02:23:31 - <Info> -- Threshold config parsed: 0 rule(s) found
            15/3/2022 -- 02:23:34 - <Info> -- 44300 signatures processed. 1840 are IP-only rules, 5796 are inspecting packet payload, 26492 inspect application layer, 108 are decoder event only
            15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28579 and 6 other sigs
            15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
            15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
            15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ppsx&file.zip' is checked but not set. Checked in 26068 and 1 other sigs
            15/3/2022 -- 02:26:01 - <Info> -- Using 1 live device(s).
            15/3/2022 -- 02:26:01 - <Info> -- using interface igb1
            15/3/2022 -- 02:26:01 - <Info> -- running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
            15/3/2022 -- 02:26:01 - <Info> -- Set snaplen to 1518 for 'igb1'
            15/3/2022 -- 02:26:02 - <Info> -- RunModeIdsPcapAutoFp initialised
            15/3/2022 -- 02:26:02 - <Notice> -- all 5 packet processing threads, 2 management threads initialized, engine started.

            • bmeeks @ProperCactus

              @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

              @bmeeks and this is the end of my suricata.log after all the filter errors:


              The above all looks fine. Those flowbit errors are not a problem. Many times they are simply a result of errors or typos from the rule creators.

              You should be seeing alerts based on what I see in your screenshots. The next step would be to run a packet capture on the firewall interface and verify exactly what is traversing the wire with regards to lookups. Verify in the captured packets whether the "data" the rule is looking for is actually in cleartext.

              • ProperCactus Rebel Alliance @bmeeks

                @bmeeks dunno if it matters, but there are a lot of errors like this as well, so many that I can't copy-paste them all:

                15/3/2022 -- 02:23:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 35604
                15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
                15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 36412
                15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
                15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 36660
                15/3/2022 -- 02:23:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
                15/3/2022 -- 02:23:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 37990
                15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 38661
                15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 38662
                15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 40031
                15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 40032

                • bmeeks @ProperCactus

                  @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                  @bmeeks dunno if it matters, but there are a lot of errors like this as well, so many that I can't copy-paste them all:


                  These are those Snort rules we discussed earlier whose syntax is not understood by Suricata. Errors like this are expected when using Snort rules in Suricata. Suricata logs the error and ignores those rules, not loading them at all. But none of these rules are your DNS rules. Suricata was not created to use Snort rules. Snort was created to use Snort rules. Suricata was created by a team sponsored by the folks behind the Emerging Threats rules, so Suricata was optimized for those rules. While Suricata can import a lot of Snort rules, there are still many that won't work because they use features and syntax supported by Snort that Suricata does not support.

                  • ProperCactus Rebel Alliance @bmeeks

                    @bmeeks Weird thing is, all those Snort rule categories are disabled, so how can it be trying to load them?

                    Screen Shot 2022-03-15 at 3.34.18 am.png

                    • ProperCactus Rebel Alliance @bmeeks

                      @bmeeks packet capture is not showing any packets at all on that interface, but that is impossible: how can it receive and respond to DNS queries without packets? And it is definitely the correct IP address for the correct interface (192.168.2.1, igb1 (GREEN)).

                      • ProperCactus Rebel Alliance @ProperCactus

                        @bmeeks got me totally beat, because I reset the rules and I have all the Snort categories disabled, so I don't know why I am getting all those errors for Snort rules I don't have enabled.

                        • bmeeks @ProperCactus

                          @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                          @bmeeks Weird thing is, all those Snort rule categories are disabled, so how can it be trying to load them?

                          Screen Shot 2022-03-15 at 3.34.18 am.png

                          Why do you think these are the categories for those rules? Have you cross-referenced the SID values to actually find the subject rules in these categories? I see at least one of the offending rules as being tagged with the "community ruleset" flag. It's also possible these rules are being imported because of an IPS Policy you may have enabled. Do you have an IPS Policy configured?

                          • bmeeks @ProperCactus

                            @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                            @bmeeks packet capture is not showing any packets at all on that interface, but that is impossible: how can it receive and respond to DNS queries without packets? And it is definitely the correct IP address for the correct interface (192.168.2.1, igb1 (GREEN)).

                            If packet capture on that interface is not showing matching traffic, then how can you expect Suricata to detect it? There may be an alternate route for traffic that is bypassing that firewall interface. Or you may not have properly configured the packet capture settings on pfSense.

                            • ProperCactus Rebel Alliance @bmeeks

                              @bmeeks Ah yes, indeed I have the "Security" policy set.

                              • bmeeks @ProperCactus

                                @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                                @bmeeks Ah yes, indeed I have the "Security" policy set.

                                You may want to review in your mind how rules are loaded. It's not simply a matter of categories you check on the CATEGORIES tab. There is IPS Policy (which overrides anything you do on the CATEGORY tab), and there is the SID MGMT tab which can also override CATEGORY tab decisions.

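An added example (not code from the thread or the pfSense package) that does the cross-check bmeeks describes: it pulls the SIDs out of the "error parsing signature" lines in suricata.log, looks each one up in the category rule files, and reports whether the rule came in through an enabled category or through the IPS Policy. The log excerpt and the category files are constructed for the example, with rule bodies shortened; treating a rule as policy-selected when its metadata carries a `policy <name>-ips` tag (the tag form visible in the posted errors) is an assumption about how the package selects policy rules, not something the thread states.

```python
import re

# Constructed suricata.log excerpt in the format shown above; rule bodies shortened.
SAMPLE_LOG = """\
15/3/2022 -- 02:23:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 35604
15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 38661
15/3/2022 -- 02:23:31 - <Info> -- 2 rule files processed. 44300 rules successfully loaded, 43 rules failed
"""

# Constructed category files standing in for the per-category *.rules files on the firewall.
SAMPLE_RULE_FILES = {
    "snort_malware-cnc.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos '
        'variant outbound connection"; metadata:policy balanced-ips drop, policy security-ips drop, '
        'service http; sid:50525; rev:1;)\n'
    ),
    "snort_os-other.rules": (
        '# alert tcp any any -> any any (msg:"constructed rule shipped commented out"; sid:1000001; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable '
        'injection attempt"; sip_header; metadata:policy max-detect-ips drop, policy security-ips drop, '
        'ruleset community, service sip; sid:32042; rev:4;)\n'
    ),
    "emerging-dns.rules": (
        'alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns.query; content:".to"; '
        'endswith; sid:2027757; rev:5;)\n'
    ),
}

LOG_RE = re.compile(r"^\S+ -- \S+ - <(?P<level>\w+)> -- (?P<body>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<msg>.*)$")
SID_RE = re.compile(r"\bsid:(\d+);")
SOURCE_RE = re.compile(r" from file (?P<file>\S+) at line (?P<line>\d+)$")
POLICY_RE = re.compile(r"policy ([a-z-]+?)-ips\b")


def parse_failed_signatures(log_text):
    """Collect every rule Suricata refused to load, with the reason it logged just before."""
    failures, pending_reason = [], None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("level") != "Error":
            continue
        e = ERRCODE_RE.match(m.group("body"))
        if not e:
            continue
        msg = e.group("msg")
        if not msg.startswith("error parsing signature"):
            pending_reason = msg  # the specific complaint precedes the signature line
            continue
        sid, src = SID_RE.search(msg), SOURCE_RE.search(msg)
        failures.append({
            "sid": int(sid.group(1)) if sid else None,
            "reason": pending_reason,
            "file": src.group("file") if src else None,
            "line": int(src.group("line")) if src else None,
        })
        pending_reason = None
    return failures


def index_rules_by_sid(rule_files):
    """Map sid -> (category file, rule text); commented-out rules are never loaded, so skip them."""
    index = {}
    for fname, text in rule_files.items():
        for raw in text.splitlines():
            rule = raw.strip()
            if not rule or rule.startswith("#"):
                continue
            m = SID_RE.search(rule)
            if m:
                index[int(m.group(1))] = (fname, rule)
    return index


def policy_tags(rule_text):
    """Names from 'policy <name>-ips' metadata tags, e.g. {'balanced', 'security'}."""
    return set(POLICY_RE.findall(rule_text))


def explain_failures(log_text, rule_files, enabled_categories, ips_policy):
    """For each failed SID, say which category holds it and how it got selected for loading."""
    index, report = index_rules_by_sid(rule_files), []
    for f in parse_failed_signatures(log_text):
        fname, rule = index.get(f["sid"], (None, ""))
        report.append({
            "sid": f["sid"],
            "reason": f["reason"],
            "category": fname,
            "enabled_by_category": fname in enabled_categories,
            "selected_by_policy": ips_policy in policy_tags(rule),
        })
    return report
```

Running it with only emerging-dns.rules enabled and the "Security" policy selected shows both failed Snort SIDs arriving via the policy, not via a ticked category, which matches the explanation above.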
                                • bmeeks

                                  I prefer not to further contaminate this thread with this conversation because your problem has nothing to do with "commented out" rules. Yours is a completely different issue. Feel free to create a new post thread if you want to continue this.
